n8n Patches Five Critical Flaws Including CVSS 9.4 RCE

The n8n workflow automation platform just can't catch a break. A batch of five new vulnerabilities dropped today, headlined by CVE-2026-25049 (CVSS 9.4)—an expression escape flaw that lets authenticated users execute arbitrary system commands on the host server. The kicker: it's a bypass of the fix for CVE-2025-68613, the CVSS 9.9 sandbox escape patched last year.

This is the fourth round of critical n8n vulnerabilities we've tracked in roughly six weeks. We covered the CVSS 10.0 Ni8mare flaw in January, followed by two more sandbox escape bugs discovered by JFrog. Organizations running self-hosted n8n instances need to update immediately—or accept that their automation platform is an open door.

How CVE-2026-25049 Works

The vulnerability exploits a fundamental mismatch between TypeScript's compile-time type system and JavaScript's runtime behavior. n8n's expression sandbox relies on input sanitization that checks whether values are strings. But as Endor Labs researcher Cris Staicu explained, "TypeScript cannot enforce these type checks on runtime attacker-produced values. When attackers craft malicious expressions at runtime, they can pass non-string values (such as objects, arrays, or symbols) that bypass the sanitization check entirely."

The practical attack looks like this: an authenticated user creates a workflow with a publicly accessible webhook—no authentication required on the webhook endpoint. By adding a single line of JavaScript using destructuring syntax, the workflow becomes a remote code execution gateway. Anyone on the internet who hits that webhook URL can run commands on the server.

SecureLayer7 researchers confirmed that bracket notation accessing properties like __proto__ or constructor combined with process access enables full shell command execution. The attack surface is wide because n8n is designed to expose webhooks publicly—that's the product's core functionality.

Four More Flaws in the Same Batch

CVE-2026-25049 wasn't alone. n8n disclosed four additional vulnerabilities simultaneously:

• CVE-2026-25053 (CVSS 9.4) — Command injection through the Git node, allowing attackers to execute arbitrary commands via crafted repository parameters
• CVE-2026-25056 (CVSS 9.4) — Arbitrary file write through the Merge node, enabling attackers to overwrite files on the server filesystem
• CVE-2026-25054 (CVSS 8.5) — Stored cross-site scripting via markdown rendering
• CVE-2026-25055 (CVSS 7.1) — Path traversal through the SSH node

Three of the five carry critical ratings. Ten researchers received acknowledgment for the disclosures, including Fatih Celik (who found the original CVE-2025-68613), Eilon Cohen from Pillar Security, and Sandeep Kamble from SecureLayer7.

Who's Affected and What to Do

All n8n versions before 1.123.17 and 2.5.2 are vulnerable. Cloud-hosted n8n instances were patched by the vendor, but self-hosted deployments—which are common among organizations that chose n8n specifically for data sovereignty—need manual updates.

1. Upgrade now to n8n version 1.123.17 or 2.5.2+
2. Audit existing workflows for suspicious expressions, particularly those using bracket notation like [["__proto__"]] or accessing constructor or process properties
3. Review webhook exposure and restrict unauthenticated webhooks where possible
4. Check for signs of compromise — unexpected files, modified configurations, or unusual outbound connections from the n8n host

Why This Matters

n8n sits in a dangerous position architecturally. It's an automation tool that connects to databases, APIs, internal services, and cloud platforms—often with privileged credentials. Compromising n8n means compromising every system it touches. And the pattern of repeated sandbox escapes suggests the platform's security model has a structural weakness, not just individual bugs. The expression evaluation subsystem—the same component behind the original CVSS 10.0 flaw—keeps breaking in new ways.

The frequency of critical n8n vulnerabilities should concern any organization using the platform in production. Four batches of critical flaws in six weeks points to deeper issues with how n8n handles expression evaluation—the same subsystem keeps breaking in new ways. For security teams evaluating workflow automation tools, this track record is worth factoring into risk assessments.